Integrate Versa SASE with CrowdStrike Falcon
For supported software information, click here.
CrowdStrike Falcon® is a leading Endpoint Detection and Response (EDR) platform that delivers behavioral analysis, threat hunting, and rapid incident response through continuous endpoint surveillance and intelligent threat correlation.
EDR is a cybersecurity technology that monitors and responds to threats coming from endpoint devices such as laptops, mobile phones, and IoT devices. EDR primarily detects advanced threats that can evade front-line defenses and successfully enter the network environment. By collecting and aggregating data from endpoints and other sources, EDR can identify suspicious behavior and alert administrators to eliminate the threat before it spreads.
Configure CrowdStrike
Note: Before configuring EDR on Concerto, you must create an account with CrowdStrike and configure the EDR service to integrate with Concerto.
To configure CrowdStrike on Concerto:
- Go to Configure > Security Service Edge > Partner Integration > Endpoint Detection & Response.

- The following screen displays with the CrowdStrike tab selected by default.

- Enter information for the following fields.
| Field | Description |
| --- | --- |
| Enabled | Click the slider to enable CrowdStrike. |
| Tenant ID | Enter the tenant ID that was generated by CrowdStrike. |
| Client ID | Enter the client ID that was generated by CrowdStrike. |
| Client Secret | Enter the client secret that was generated by CrowdStrike. |
| Cloud Region | Enter the region of the CrowdStrike instance. |
| Poll Interval | Enter the time, in minutes, between polling actions. Range: 10 through 1440 seconds. Default: 10 |
- Click Save.
View the ZTA Score for a Host from CrowdStrike
The ZTA dashboard includes the security posture information of all hosts and detailed information of each assessed host. The assessment by host table in the dashboard includes an OS assessment, a sensor assessment, and an overall assessment for each host, and the host details table provides more information about the security posture for each host.
To access the ZTA dashboard:
- Go to Host setup and management > Manage endpoints > Zero trust assessment.

- In the ZTA dashboard, scroll down to view the assessment by host information. The overall assessment score combines the operating system assessment and the sensor assessment. Versa SASE takes this score as input from CrowdStrike Falcon.

- To filter the hosts by Windows platform and view the Windows assessment attributes, select the Customer ID, and then set Platform to Windows.
- To view detailed information about the security posture of a host, click on the Host ID in the assessment by host table. The host details table displays.

- To filter the hosts by MAC platform and view the MAC assessment attributes, select the Customer ID, and then set Platform to MAC.
- To view detailed information about the security posture of a host, click on the Host ID in the assessment by host table. The host details table displays.

CrowdStrike APIs
You can use the following CrowdStrike APIs to retrieve the device ID, device details, and ZTA:
- Get device ID—GET /devices/entities/devices/v2
- Get device details—GET /devices/entities/devices/v2?ids=<ids>
- Get ZTA—GET /zero-trust-assessment/entities/assessments/v1
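The following added example (not Versa or CrowdStrike code) audits a response from the Get ZTA call listed above and flags hosts whose score is low, whose assessment is older than expected, or that returned no assessment at all. The response field names, the sample data, and the `min_overall` and `max_age` thresholds are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Get ZTA response. The field names
# (resources, aid, assessment.os/sensor_config/overall, modified_time)
# are assumptions, and the host IDs and scores are made up.
SAMPLE_ZTA = json.loads("""
{"resources": [
  {"aid": "host-a", "event_platform": "Win", "modified_time": "2024-05-01T11:55:00Z",
   "assessment": {"os": 88, "sensor_config": 92, "overall": 90}},
  {"aid": "host-b", "event_platform": "Mac", "modified_time": "2024-05-01T11:50:00Z",
   "assessment": {"os": 35, "sensor_config": 60, "overall": 47}},
  {"aid": "host-c", "event_platform": "Win", "modified_time": "2024-04-28T09:00:00Z",
   "assessment": {"os": 80, "sensor_config": 85, "overall": 82}}
]}
""")


def audit_zta(response, expected_ids, now, min_overall=65,
              max_age=timedelta(hours=24)):
    """Classify each expected host as ok, low_score, stale, or missing.

    min_overall and max_age are hypothetical thresholds; set them to match
    your own risk policy and poll interval.
    """
    by_id = {r.get("aid"): r for r in response.get("resources", [])}
    findings = {}
    for host_id in expected_ids:
        record = by_id.get(host_id)
        if record is None:
            # No assessment returned: unknown posture, not trusted posture.
            findings[host_id] = "missing"
            continue
        overall = record.get("assessment", {}).get("overall")
        modified = datetime.fromisoformat(
            record["modified_time"].replace("Z", "+00:00"))
        if not isinstance(overall, int) or overall < min_overall:
            findings[host_id] = "low_score"
        elif now - modified > max_age:
            # A good score that has not been refreshed may no longer hold.
            findings[host_id] = "stale"
        else:
            findings[host_id] = "ok"
    return findings


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    hosts = ["host-a", "host-b", "host-c", "host-d"]
    for host, status in audit_zta(SAMPLE_ZTA, hosts, now).items():
        print(host, status)
```

Hosts reported as `stale` or `missing` have no current posture data, so a rule that keys on the risk score should not treat them as low risk.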
Enforce Protection Based on Unified Risk Score
You can configure secure client-based access rules and internet protection rules that use the risk scores of users or devices to control traffic. This allows you to deny or authenticate traffic from users who have high risk scores and allow trustworthy or low-risk traffic. For CrowdStrike, Versa Networks supports the following predefined EIP profiles and objects that you can use in security rules:
- eip-profile-endpoint_security-software-crowdstrike and eip-object-endpoint_security-software-crowdstrike—Check if CrowdStrike EDR agent is installed and running.
- eip-profile-endpoint_security-crowdstrike and eip-object-endpoint_security-crowdstrike—Check for CrowdStrike EDR
For more information, see Configure Unified Entity Risk Profiles in Concerto.
Supported Software Information
Releases 12.2.2 and later support all content described in this article.
Additional Information
Configure Endpoint Detection and Response
Configure SASE Internet Protection Rules
Configure SASE Private Application Protection Rules
Configure SASE Secure Client-Based Access Rules
Configure Unified Risk Profiles in Concerto
Integrate Versa SASE with Microsoft Defender
Monitor Concerto Orchestrator
Versa Analytics and CrowdStrike NG-SIEM Integration
View Concerto Security Dashboards
